Singapore's first data breach?

by Latham & Watkins LLP

The Straits Times reported on 14 August that Singapore’s Personal Data Protection Commission (the “Commission”) is investigating a complaint from a user that Xiaomi has breached the Personal Data Protection Act 2012 (“PDPA”). This is believed to be the first investigation under the main PDPA rules unrelated to the Do Not Call registry which came into force on 2 July 2014. This investigation will be followed with interest as it may set the tone for how strictly the new privacy legislation will be enforced.

About the PDPA

The PDPA was introduced in phases during the first half of 2014 and is the first privacy specific legislation to be introduced in Singapore. The Do Not Call provisions, which are intended to protect individuals from direct marketing, came into force on 2 January 2014 and the remaining provisions on 2 July. The PDPA aims to implement measures which provide transparency for individuals about how their personal data is used by organisations. It also introduces potential fines for breaches of up to S$1 million per breach.

At a high level, the PDPA sets out a number of key obligations with which organisations must comply:

  • Notification - must notify individuals prior to collection of the purposes for which they intend to collect, use or disclose the individual's personal data;
  • Purpose - may only collect, use or disclose personal data about an individual for reasonable purposes in the circumstances or those that have been notified to the individual;
  • Consent - may only collect, use or disclose the personal data of an individual if consent has been obtained from that individual (subject to certain exclusions);
  • Access & Correction - individuals must be able to access and correct their personal data upon request to the organisation;
  • Accuracy, Protection and Retention - must take care of personal data, ensuring that it is:
    • accurate and complete (if it is likely to be (i) used to make a decision or (ii) disclosed to another organisation);
    • kept secure; and
    • only retained while there is a valid purpose or business or legal reason for doing so;
  • Transfer limitation – organisations must not transfer personal data to a country or territory outside Singapore except where it can ensure that a comparable standard of protection, as provided for under the PDPA, will be maintained over any personal data that is transferred; and
  • Openness (Compliance and Governance) - organisations are expected to have policies and practices in place to ensure compliance with the PDPA and appoint a single contact (the Data Protection Officer) to manage all privacy related issues for the organisation.

Three Do Not Call Registers and associated provisions to control the sending of marketing messages to Singapore telephone numbers were also established by the PDPA and have been in force since January. These provisions introduce fines of up to S$10,000 per marketing message sent in breach of the provisions. These have been strictly and publicly enforced since coming into effect and the Commission stated in a press release on 23 May 2014 that “investigations have been made in response to 3,700 valid complaints from members of the public against 630 organisations since the DNC provisions took effect on 2 January 2014.

The Complaint Against Xiaomi

Xiaomi is one of the top selling (some argue the top selling) smartphone brand in China, which is the world’s biggest smartphone market. Like many other smartphone brands, Xiaomi has a cloud messaging service (comparable services include Blackberry Messenger and Apple’s iMessage) that allows users to send messages over the internet to avoid potentially costly SMS or text messaging charges.

On 7 August F-Secure, a Finnish security firm, published the results of their test of a Xiaomi RedMi 1S phone and concluded that on start up the phone automatically sent certain personal data, including information from the user’s phone book, to an external server. Xiaomi Vice President Hugo Barra recently responded to this report stating that the transmitted data was part of Xiaomi's Cloud Messaging service, which can send messages via SMS and over the Internet but that Xiaomi does not store user personal data. Mr Barra has subsequently apologised to users and Xiaomi has introduced an update which makes the cloud messaging service an “opt-in” service (in much the same way as WhatsApp and WeChat) requiring user consent to the terms and the way in which personal data is collected, used and disclosed.

A user has filed a complaint with the Commission alleging that Xiaomi had disclosed his personal data without his consent when he used his phone in Singapore and as a result he was receiving unsolicited calls from overseas numbers.

What’s Next?

It is not unusual for smartphones and their applications to track users’ personal data in order to provide messaging services, but most specifically obtain “opt in” consent from users before doing so. The key difference with the Xiaomi situation is that the user is alleging that the phone automatically sent personal data to servers without explaining this to users or obtaining consent for such disclosure.

If the allegations are found to be correct then Xiaomi may have fallen foul of the disclosure obligations under the PDPA by disclosing personal user data to the servers without obtaining valid prior consent from users. In addition, depending on the location of the servers, it is possible that the Commission will consider whether there was a breach of the data transfer obligations, i.e. that personal data had been transferred to jurisdictions outside Singapore without ensuring that it was protected to an equivalent standard as under the PDPA.

It is important to remember that the PDPA has only very recently been implemented in Singapore and companies (and the Commission) are still getting to grips with how it operates in practice. It is possible that this, combined with the quick action taken by Xiaomi to resolve any potential data privacy concerns raised by users, may result in a more lenient stance from the Commission.

It is too early to know how the Commission will conduct its investigation and what the potential outcome may be. But incidents such as this serve as important reminders to companies operating and expanding internationally to be mindful of local data protection and privacy regulations, and the conduct of the investigation and its outcome will be instructive in understanding the teeth behind Singapore’s new data privacy regime.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP

Latham & Watkins LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.